[arin-ppml] Whois doesn't violate privacy, people do (was: SWIPs & IPv6)
Since you elected once again to ignore (or in this case delete) the
substantive, policy relevant questions that I posed to you, I decided
to resend them one more time, under a subject line that better
illuminates the inconsistency and weakness in your reasoning about
whois as compared to other real, potential, and imagined threats to
Would still welcome a substantive response or two...
On Dec 5, 2009, at 4:11 PM, Milton L Mueller wrote:
> Thanks, Lee, I will take a look at that. But note that I have been
> through a similar debate on the DNS side, and the more I learned
> about the LEA position the more I realized that standard protections
> and procedures should apply. Indeed, I have discussed this with
> several LEAs in Europe who will admit (privately) that they use
> Whois to avoid legal constraints and that doing so has no
> justification other than their own convenience and that open access
> to the information is often abused or leads to abuse by third parties.
The real problem is the act of *misuse* of identifying information,
and not the legal status or identity of the party misusing it, or the
particulars of how the misused information was come by. And given
that, your demand for what boils down to the imposition of prior
restraint on an essential component of Internet technical coordination
represents a strange, if predictable, departure from your otherwise
panglossian insistence that post-facto individual legal remedies are
always and everywhere sufficient to handle any unfortunate side-
effects of private market behavior. Why don't you counsel those
alleging "whois abuse" to simply address their grievances to the
courts, the same way that you counsel victims of abusive private
sector practices or the exercise of anticompetitive market power to
take it to the judge?
>>> In other words, Whois doesn't violate privacy; the policies and
administrative practices that sustain whois as a viable mechanism for
technical coordination don't violate privacy; *people* who misuse
whois violate privacy. Why should
List members may find the contrast between what you're advocating here
and what you advocated in the run-up to the privatization of DNS
In your October 1997 CATO Institute Briefing Paper, "Internet Domain
Names: Privatization, Competition, and Freedom of Expression," you
> The Burden of Proof on Applicants for Domain Names
> Some people have suggested that domain name applicants be required
> to demonstrate that they have a basis for requesting a particular
> domain name. Further questions then arise. What information should
> be supplied? Who should evaluate the information? What basis or
> criteria should be used?
> Those questions are helpful but need to be reframed. The answers to
> them can come only from the policies name registries adopt to
> prevent name speculation and to control the secondary market for
> names. Name speculation is a form of arbitrage. Speculators attempt
> to exploit the gap between the price of registering a name and the
> higher value of that name to some other potential user. Name
> speculation thus provides a clear signal that the primary
> distributor of name registrations is not exploiting the full
> economic value of its name resources.
> The best long-term solution to this problem is privatization of name
> registration and expansion of TLD space. It is in the rational self-
> interest of commercial registries to manage name resources actively
> rather than passively. Just as airlines or movie theater owners do
> not allow aggregators and wholesalers to buy up all available seats
> and resell them to end users, so it seems unlikely that private,
> profit-motivated name registries would allow speculators, rather
> than themselves, to exploit the full economic value of their
> namespace. As the namespace becomes privatized and commercialized,
> it seems likely that more active monitoring of who is applying for
> names and why would take place. Administrative policies such as this
> are much preferable to intellectual property law as a solution to
> problems of name speculation.
Full text here:
This little nugget is full of telling observations -- from your unique
"theory of speculation" to your predictions about how privatization
and competition would influence the policy-setting behavior of
commercial domain registries. I'm guessing that you'd still stand by
these recommendations, even knowing that one consequence of their
implementation has been the permanent elimination of DNS whois as an
effective mechanism for inter-domain technical coordination, but feel
free to surprise me.
Arguably, history has demonstrated that DNS whois was, in fact,
expendable. However, that's only because the underlying/parallel
inetnum whois provided a sufficient if not superior mechanism for most
technical coordination requirements. The whois functions provided by
the RIRs are different in kind than DNS whois, and for those functions
there is no plausible substitute -- or at least none that can be
provided by voluntary private action.
So, for the present discussion, I would highlight the last two
sentences of this passage, and ask Milton why "administrative
policies" such as the ones that make inetnum-related whois viable
should not be preferred over the imposition of legally (i.e.,
nationally) mandated compulsory address resource registration, which
is likely to be the only alternative?
I know you're not big on actually answering practical, policy-relevant
questions in any substantive way. That's your prerogative.
But I'll keep asking them anyway, if only to remind other readers of
your long-standing disinclination to put any of your own ideas to any
meaningful, real-world test.
Begin forwarded message:
> From: tvest at eyeconomics.com
> Date: December 3, 2009 3:38:38 PM EST
> To: Milton L Mueller <mueller at syr.edu>
> Cc: "arin-ppml at arin.net (arin-ppml at arin.net)" <arin-ppml at arin.net>
> Subject: Re: [arin-ppml] SWIPs & IPv6
> On Dec 3, 2009, at 3:15 PM, Milton L Mueller wrote:
>> there's a logical fallacy in your attempt to avoid the drivers
>> license (DL) analogy: you have assumed that defeating the analogy
>> justifies the existing system, in which anyone has access to
>> potentially sensitive contact information.
> Hi Milton,
> Is there some reason that you ignored the questions in the message
> that I sent *before* I responded to Chris' driver's license analogy?
> It seems to have founds its way safely to the ppml archive:
> On the outside chance that you didn't receive the message, I've
> copied it again below.
> I'm assuming here that you're not planning to "defeat" my questions
> by simply ignoring them...?
> I think that defeating them in the more conventional way (i.e., by
> answering them) would be more constructive.
> As you may note, the questions that I posed to you have nothing in
> particular to do with specific institutions, past, present, or
> imaginary. They have to do with properly defined functions of an
> Internet protocol number resource registry, and the source(s) of
> incentives and disincentives that might make it possible for a
> properly functioning registry to be sustainable over time (a) based
> solely on voluntary participation, and/or (b) in an environment of
> competitive registration service delivery.
> I look forward to your responses.
>>> Privacy norms, standards and laws are well known and not that hard
>>> to apply to this case.
>>> Here is a link to a boilerplate explanation of basic data
>>> protection principles:
>>> Respectful suggestion: do some homework on how this issue gets
>>> handled before wading into a policy arena with global human rights
>> Hi Milton,
>> Thanks for the respectful suggestion. I will take it under
>> However, I would respectfully suggest that providing more
>> substantive answers here would be useful both to you (if your goal
>> is, in fact, to help inform number resource policies), as well as
>> to those list members who are not likely to go off and do a lot of
>> homework on this issue.
>>>> 1. Would you say that the proper balance between these two opposing
>>>> goals is reflected in current DNS whois arrangements?
>>> Absolutely not. (And you know perfectly well that I've answered
>>> this question, not only on this list, but in lengthy scholarly
>>> articles, and in years of work on DNS Whois Working Groups and
>>> Task Forces.)
>>> It would be very easy for DNS Whois to contain the requisite
>>> technical information needed for both law enforcement and
>>> technical management without providing indiscriminate public
>>> access to anyone and everyone, for any purpose.
>> Okay, in that case I call:
>> 1. Could you suggest how, exactly, a registration/whois system can
>> be both very accurate, very reliable, and very easy for technical
>> administrators to access (when justified) for real-time network
>> management requirements*, while at the same time satisfying the the
>> legitimate* privacy concerns of the individuals and institutions
>> who are represented in that registration data?
>> 2. Could you also suggest how those conditions that are accurately
>> deemed to be legitimate*, required*, etc. by both groups might be
>> sustained over time? Specifically, if revelation of whois
>> inaccuracies is generally only possible as a result of outages or
>> other "events" that require technical administrator action, and
>> discovery of correct whois information in such cases is generally
>> only possible through legal mechanisms (warrants, subpoenas,
>> lawsuits, registry disaccreditations, etc.) which do not operate at
>> time scales that are consistent with real-time network management,
>> what method(s) would you propose for reconciling this critical
>> 3. Finally (and if appropriate), could you also suggest how those
>> conditions might be preserved in an environment of competitive
>> commercial provision of registration and whois services?
>> Specifically, what mechanisms would you recommend to encourage
>> registration and whois service providers to maintain the proper
>> level of investment in and ongoing support for this secondary, non
>> profit-making function? What mechanisms would you advocate to
>> assure that individual commercial registration and whois service
>> providers resist the temptation to differentiate themselves by
>> cutting their whois-related support and/or by relaxing their whois-
>> related customer requirements?
>> Since (3) presumes that you advocate the competitive provision of
>> registration and whois services, with at least some competitors
>> being private/not-governmental entities, please disregard this
>> question if this presumption is inaccurate.
>>> The only reason this doesn't happen: DNS Whois arrangements have
>>> been hijacked by trademark protection firms, LEAs too lazy to get
>>> the proper authorizations, and by companies that collect and sell
>>> the data for various and sundry purposes. See data protection
>>> principle #2 for my opinion about that.
>> If I'm interpreting your reference correctly, data protection
>> principle #2 reads:
>> "Personal data shall be obtained only for one or more specified and
>> lawful purposes, and shall not be further processed in any manner
>> incompatible with that purpose or those purposes."
>> If we stipulate for the moment that we're only talking about
>> protocol number whois as used for legitimate technical
>> administrative purposes that are consistent with the law, then the
>> relevance of data protection principle #2 is still ambiguous. One
>> justification for open public whois is that public scrutiny
>> provides a kind of continuous distributed error detection and
>> correction mechanism, which helps to maintain whois completeness
>> and accuracy in between those critical moments when technical-
>> administrative action is both legal and justified -- and at which
>> points the belated discovery of whois inaccuracies can have the
>> most adverse consequences.
>> Is it your view that the very existence and/or maintenance of
>> accurate personal data should be subject to a different, higher
>> standard than the standard suggested by data protection principle #2?
>>>> 2. Are the "legitimate privacy concerns" of artificial
>>>> persons (i.e.,
>>>> corporations) different from the "legitimate privacy concerns" of
>>>> natural persons?
>>> Sigh. Overlooking your complete ignorance of applicable law, I
>>> will simply answer yes.
>>> The distinction is well-established in law, not to mention common
>>> sense. Yes, Tom, there are differences between the privacy rights
>>> and legal norms applicable to publicly registered corporate
>>> entities and flesh and blood persons and their homes and personal
>> Ignoring the insult, I'll just observe again that a less clever but
>> more substantive response would have probably been more useful, to
>> you and everyone else.
>>>> If so, how -- and how should the differences be
>>>> reflected in rotocol number-related registration data and whois?
>>> Yes, of course the differences should be reflected. How? Not that
>>> hard, but as I said in my last message, let's debate specific
>>> arrangements and proposals, not ideology.
>> Excellent. Here's your chance to debate specifics.
>> It's good to know that it won't be that hard...